1. Lab objective
Map an internal address to the public network through a NAT device, build VPN tunnels between the sites, and authenticate the IPsec peers in two ways: with a pre-shared key and with certificates.
2. Basic configuration
(1) Configure the interface addresses as shown in the topology figure, and on R1 map the address of FW1 to the public network
[R1-GigabitEthernet0/0/1]dis th
[V200R003C00]
#
interface GigabitEthernet0/0/1
ip address 155.1.12.1 255.255.255.0
nat static global 155.1.12.12 inside 10.1.121.12 netmask 255.255.255.255
#
(2) On each firewall, configure the interface addresses and assign the interfaces facing the PC, the router and the virtual (tunnel) interface to the trust, untrust and dmz zones respectively; enable OSPF on the firewalls and on R1 and advertise the 10.1.0.0 network
(3) Configure the firewall security policy
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 47
action permit
rule name IN_TO_DMZ
source-zone trust
destination-zone dmz
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
3. Detailed configuration
(1) On each firewall create a tunnel (virtual) interface, set the GRE mode to point-to-multipoint, enable the corresponding NHRP functions, and set the OSPF network type to p2mp so that the sites interconnect. FW1 acts as the NHRP hub; FW2 and FW3 are spokes that register with the hub at its NAT-mapped public address 155.1.12.12.
[FW1-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf timer hello 10
nhrp redirect
nhrp entry multicast dynamic
#
[FW2-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf timer hello 10
nhrp shortcut
nhrp entry 10.1.0.12 155.1.12.12 register
#
[FW3-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.14 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf timer hello 10
nhrp shortcut
nhrp entry 10.1.0.12 155.1.12.12 register
#
(3) IPsec interconnection with CA certificate authentication
1) On Windows Server 2016, configure the IIS server and AD domain services in Server Manager, open http://<CA host IP address>/certsrv, download the CA root certificate and save it to the computer
Align the clocks of the three firewalls with the CA:
[FW1]dis clock
[FW1]clock timezone GMT add 8
2) Generate the root certificate on the CA, open the firewall web management page and upload the root certificate, generate a local certificate, request a certificate from the CA with it, and then upload the issued certificate to the firewall
Generate the certificate request in the firewall's local certificate page
Download the local certificate request generated by the firewall, upload it to the CA and request a certificate there
Open the certificate request generated by each firewall in Notepad and paste its contents into the "saved request" field
Return to the home page to view the pending certificates
Open the Certification Authority console
Issue the certificate under pending requests and download it
Upload the corresponding certificate in the firewall's local certificate page
Adjust the IPsec configuration (IKE authentication method changed to RSA signature, referencing the issued local certificate)
ipsec proposal DM_SET
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method rsa-signature
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ALL
ike-proposal 10
certificate local-filename fw1-certnew.cer
#
ipsec profile DM_PRO
ike-peer ALL
proposal DM_SET
Adjust the security policy (the untrust-to-local rule additionally permits UDP 500 and UDP 4500 so that IKE and NAT-T can reach the hub)
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 47
service protocol udp destination-port 4500
service protocol udp destination-port 500
action permit
rule name IN_TO_DMZ
source-zone trust
destination-zone dmz
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
Adjust the NAT policy on R1 (static port mappings for UDP 500 and 4500 to FW1)
[R1-GigabitEthernet0/0/1]dis th
#
interface GigabitEthernet0/0/1
ip address 155.1.12.1 255.255.255.0
nat server protocol udp global 155.1.12.12 500 inside 10.1.121.12 500
nat server protocol udp global 155.1.12.12 4500 inside 10.1.121.12 4500
#
4. Verification
(1) The nodes have obtained each other's addresses through NHRP and routes through OSPF, and can already interconnect
[FW1]dis nhrp peer all
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
10.1.0.13 32 155.1.132.13 10.1.0.13 registered up|unique
--------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
10.1.0.14 32 155.1.142.14 10.1.0.14 registered up|unique
--------------------------------------------------------------------------------
[FW1]dis ospf interface
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
10.1.12.12 Broadcast DR 1 1 10.1.12.12 0.0.0.0
10.1.121.12 Broadcast BDR 1 1 10.1.121.1 10.1.121.12
10.1.0.12 P2MP P-2-P 1562 1 0.0.0.0 0.0.0.0
PC>tracert 10.1.14.10
traceroute to 10.1.14.10, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.13.13 <1 ms <1 ms 16 ms
2 10.1.0.14 47 ms 16 ms 46 ms
3 10.1.14.10 47 ms 47 ms 31 ms
(2) IPsec interconnection is achieved with certificates; through
[FW1]dis ospf peer brief
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet1/0/0 10.1.121.1 Full
0.0.0.0 Tunnel0 10.1.0.13 Full
0.0.0.0 Tunnel0 10.1.0.14 Full
----------------------------------------------------------------------------
[FW1]dis ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
8 155.1.142.14:4500 RD|ST|A v2:2 IP 155.1.142.14
3 155.1.142.14:4500 RD|A v2:1 IP 155.1.142.14
7 155.1.132.13:4500 RD|A v2:2 IP 155.1.132.13
1 155.1.132.13:4500 RD|A v2:1 IP 155.1.132.13
Number of IKE SA : 4
--------------------------------------------------------------------------------
[FW1]dis nhrp peer all
--------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
10.1.0.13 32 155.1.132.13 10.1.0.13 registered up|unique
--------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------------------------------------------------------------------------------
10.1.0.14 32 155.1.142.14 10.1.0.14 registered up|unique
--------------------------------------------------------------------------------
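A verification script for the hub outputs shown above, added here as an example and not part of the original lab report: it parses `display ike sa` and `display nhrp peer all` output and checks that every NHRP-registered spoke is up, holds both an IKE SA (v2:1) and a child SA (v2:2), and negotiated NAT-T on UDP 4500, which is what a hub behind R1's static NAT should show. The sample listings are constructed from the lab's output with the extraction line-wrapping removed; the function names are this example's own.

```python
import re
# Constructed sample output modelled on the lab's `display ike sa` / `display nhrp peer all` listings.
IKE_SA_OUTPUT = """\
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
8 155.1.142.14:4500 RD|ST|A v2:2 IP 155.1.142.14
3 155.1.142.14:4500 RD|A v2:1 IP 155.1.142.14
7 155.1.132.13:4500 RD|A v2:2 IP 155.1.132.13
1 155.1.132.13:4500 RD|A v2:1 IP 155.1.132.13
"""
NHRP_OUTPUT = """\
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
10.1.0.13 32 155.1.132.13 10.1.0.13 registered up|unique
10.1.0.14 32 155.1.142.14 10.1.0.14 registered up|unique
"""
IKE_ROW = re.compile(r"^(\d+)\s+(\S+):(\d+)\s+(\S+)\s+v2:(\d)\s+IP\s+(\S+)$")
NHRP_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_ike_sa(text):
    # Peer IP -> {"phases": set, "port": int}. v2:1 is the IKE SA, v2:2 the
    # child (IPsec) SA; a healthy peer shows both. Header lines do not match.
    peers = {}
    for m in filter(None, (IKE_ROW.match(l.strip()) for l in text.splitlines())):
        _, ip, port, _, phase, _ = m.groups()
        peers.setdefault(ip, {"phases": set(), "port": int(port)})["phases"].add(int(phase))
    return peers

def parse_nhrp(text):
    # Spoke NBMA (public) address -> (tunnel address, entry type, flag set).
    spokes = {}
    for m in filter(None, (NHRP_ROW.match(l.strip()) for l in text.splitlines())):
        proto_ip, _, nbma, _, typ, flag = m.groups()
        spokes[nbma] = (proto_ip, typ, set(flag.split("|")))
    return spokes

def audit_dsvpn(ike_text, nhrp_text, expect_nat_t=True):
    # Every NHRP-registered spoke must be up, hold IKE phase 1 and 2 SAs and,
    # since the hub sits behind static NAT on R1, have negotiated NAT-T (UDP 4500).
    ike, findings = parse_ike_sa(ike_text), []
    for nbma, (proto_ip, typ, flags) in parse_nhrp(nhrp_text).items():
        if typ != "registered" or "up" not in flags:
            findings.append(f"{proto_ip}: NHRP entry not registered/up")
        sa = ike.get(nbma)
        if sa is None:
            findings.append(f"{proto_ip}: no IKE SA with NBMA address {nbma}")
            continue
        if missing := {1, 2} - sa["phases"]:
            findings.append(f"{proto_ip}: missing IKE phase {sorted(missing)}")
        if expect_nat_t and sa["port"] != 4500:
            findings.append(f"{proto_ip}: peer port {sa['port']}, NAT-T not in use")
    return findings
```

An empty findings list means the state matches the lab's expected result; a spoke whose child SA has not come up, or whose NBMA address no longer matches an IKE peer, is reported by tunnel address.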